forest_admin_agent 1.0.0.pre.beta.21

data/lib/forest_admin_agent/routes/security/authentication.rb

@@ -0,0 +1,95 @@
+require 'jwt'
+
+module ForestAdminAgent
+  module Routes
+    module Security
+      class Authentication < AbstractRoute
+        include ForestAdminAgent::Builder
+        include ForestAdminAgent::Http::Exceptions
+
+        def setup_routes
+          add_route(
+            'forest_authentication',
+            'POST',
+            '/authentication', ->(args) { handle_authentication(args) }
+          )
+          add_route(
+            'forest_authentication-callback',
+            'GET',
+            '/authentication/callback', ->(args) { handle_authentication_callback(args) }
+          )
+          add_route(
+            'forest_logout',
+            'POST',
+            '/authentication/logout', ->(args) { handle_authentication_logout(args) }
+          )
+
+          self
+        end
+
+        def handle_authentication(args = {})
+          if args.dig(:headers, 'action_dispatch.remote_ip')
+            Facades::Whitelist.check_ip(args[:headers]['action_dispatch.remote_ip'].to_s)
+          end
+          rendering_id = get_and_check_rendering_id args[:params]
+
+          {
+            content: {
+              authorizationUrl: auth.start(rendering_id)
+            }
+          }
+        end
+
+        def handle_authentication_callback(args = {})
+          if args[:params].key?(:error)
+            raise AuthenticationOpenIdClient.new(args[:params][:error], args[:params][:error_description],
+                                                 args[:params][:state])
+          end
+
+          if args.dig(:headers, 'action_dispatch.remote_ip')
+            Facades::Whitelist.check_ip(args[:headers]['action_dispatch.remote_ip'].to_s)
+          end
+          token = auth.verify_code_and_generate_token(args[:params])
+          token_data = JWT.decode(
+            token,
+            Facades::Container.cache(:auth_secret),
+            true,
+            { algorithm: 'HS256' }
+          )[0]
+
+          {
+            content: {
+              token: token,
+              tokenData: token_data
+            }
+          }
+        end
+
+        def handle_authentication_logout(_args = {})
+          {
+            content: nil,
+            status: 204
+          }
+        end
+
+        def auth
+          ForestAdminAgent::Auth::AuthManager.new
+        end
+
+        protected
+
+        def get_and_check_rendering_id(params)
+          raise Error, ForestAdminAgent::Utils::ErrorMessages::MISSING_RENDERING_ID unless params['renderingId']
+
+          begin
+            Integer(params['renderingId'])
+          rescue ArgumentError
+            raise Error, ForestAdminAgent::Utils::ErrorMessages::INVALID_RENDERING_ID
+          end
+
+          params['renderingId'].to_i
+        end
+      end
+    end
+  end
+end

data/lib/forest_admin_agent/routes/system/health_check.rb

@@ -0,0 +1,22 @@
+module ForestAdminAgent
+  module Routes
+    module System
+      class HealthCheck < AbstractRoute
+        include ForestAdminAgent::Builder
+        def setup_routes
+          add_route('forest', 'GET', '/', ->(args) { handle_request(args) })
+
+          self
+        end
+
+        def handle_request(_args = {})
+          if AgentFactory.instance.container.resolve(:cache).get('config')[:is_production]
+            AgentFactory.instance.send_schema(force: true)
+          end
+
+          { content: nil, status: 204 }
+        end
+      end
+    end
+  end
+end

data/lib/forest_admin_agent/serializer/forest_serializer.rb

@@ -0,0 +1,176 @@
+require 'jsonapi-serializers'
+
+module ForestAdminAgent
+  module Serializer
+    class ForestSerializer
+      include JSONAPI::Serializer
+
+      attr_accessor :attributes_map
+      attr_accessor :to_one_associations
+      attr_accessor :to_many_associations
+
+      JSONAPI::Serializer.send(:include, ForestSerializerOverride)
+
+      def initialize(object, options = nil)
+        super
+      end
+
+      def base_url
+        Facades::Container.cache(:prefix)
+      end
+
+      def type
+        class_name = object.class.name
+        @@class_names[class_name] ||= class_name.demodulize.underscore.freeze
+      end
+
+      def format_name(attribute_name)
+        attribute_name.to_s
+      end
+
+      def add_attribute(name, options = {}, &block)
+        @attributes_map ||= {}
+        @attributes_map[name] = format_field(name, options)
+      end
+
+      def format_field(name, options)
+        {
+          attr_or_block: block_given? ? block : name,
+          options: options,
+        }
+      end
+
+      def attributes
+        forest_collection = ForestAdminAgent::Facades::Container.datasource.collection(object.class.name.demodulize.underscore)
+        fields = forest_collection.fields.select { |_field_name, field| field.type == 'Column' }
+        fields.each { |field_name, _field| add_attribute(field_name) }
+        return {} if attributes_map.nil?
+        attributes = {}
+
+        attributes_map.each do |attribute_name, attr_data|
+          next if !should_include_attr?(attribute_name, attr_data)
+          value = evaluate_attr_or_block(attribute_name, attr_data[:attr_or_block])
+          attributes[format_name(attribute_name)] = value
+        end
+        attributes
+      end
+
+      def evaluate_attr_or_block(attribute_name, attr_or_block)
+        if attr_or_block.is_a?(Proc)
+          # A custom block was given, call it to get the value.
+          instance_eval(&attr_or_block)
+        else
+          # Default behavior, call a method by the name of the attribute.
+          begin
+            object.try(attr_or_block)
+          rescue
+            nil
+          end
+        end
+      end
+
+      def add_to_one_association(name, options = {}, &block)
+        options[:include_links] = options.fetch(:include_links, true)
+        options[:include_data] = options.fetch(:include_data, false)
+        @to_one_associations ||= {}
+        @to_one_associations[name] = format_field(name, options)
+      end
+
+      def has_one_relationships
+        return {} if @to_one_associations.nil?
+        data = {}
+        @to_one_associations.each do |attribute_name, attr_data|
+          next if !should_include_attr?(attribute_name, attr_data)
+          data[attribute_name.to_sym] = attr_data
+        end
+        data
+      end
+
+      def has_many_relationships
+        return {} if @to_many_associations.nil?
+        data = {}
+        @to_many_associations.each do |attribute_name, attr_data|
+          next if !should_include_attr?(attribute_name, attr_data)
+          data[attribute_name.to_sym] = attr_data
+        end
+        data
+      end
+
+      def add_to_many_association(name, options = {}, &block)
+        options[:include_links] = options.fetch(:include_links, true)
+        options[:include_data] = options.fetch(:include_data, false)
+        @to_many_associations ||= {}
+        @to_many_associations[name] = format_field(name, options)
+      end
+
+      def relationships
+        forest_collection = ForestAdminAgent::Facades::Container.datasource.collection(object.class.name.demodulize.underscore)
+        relations_to_many = forest_collection.fields.select { |_field_name, field| field.type == 'OneToMany' || field.type == 'ManyToMany' }
+        relations_to_one = forest_collection.fields.select { |_field_name, field| field.type == 'OneToOne' || field.type == 'ManyToOne' }
+
+        relations_to_one.each { |field_name, _field| add_to_one_association(field_name) }
+
+        data = {}
+        has_one_relationships.each do |attribute_name, attr_data|
+          formatted_attribute_name = format_name(attribute_name)
+          data[formatted_attribute_name] = {}
+
+          if attr_data[:options][:include_links]
+            links_self = relationship_self_link(attribute_name)
+            links_related = relationship_related_link(attribute_name)
+            data[formatted_attribute_name]['links'] = {} if links_self || links_related
+            data[formatted_attribute_name]['links']['related'] = {} if links_self
+            data[formatted_attribute_name]['links']['related']['href'] = links_self if links_self
+          end
+
+          object = has_one_relationship(attribute_name, attr_data)
+          if object.nil?
+            data[formatted_attribute_name]['data'] = nil
+          else
+            related_object_serializer = ForestSerializer.new(object, @options)
+            data[formatted_attribute_name]['data'] = {
+              'type' => related_object_serializer.type.to_s,
+              'id' => related_object_serializer.id.to_s,
+            }
+          end
+        end
+
+        relations_to_many.each { |field_name, _field| add_to_many_association(field_name) }
+
+        has_many_relationships.each do |attribute_name, attr_data|
+          formatted_attribute_name = format_name(attribute_name)
+          data[formatted_attribute_name] = {}
+
+          if attr_data[:options][:include_links]
+            links_self = relationship_self_link(attribute_name)
+            links_related = relationship_related_link(attribute_name)
+            data[formatted_attribute_name]['links'] = {} if links_self || links_related
+            data[formatted_attribute_name]['links']['related'] = {} if links_self
+            data[formatted_attribute_name]['links']['related']['href'] = links_self if links_self
+          end
+
+          if @_include_linkages.include?(formatted_attribute_name) || attr_data[:options][:include_data]
+            data[formatted_attribute_name]['data'] = []
+            objects = has_many_relationship(attribute_name, attr_data) || []
+            objects.each do |obj|
+              related_object_serializer = JSONAPI::Serializer.find_serializer(obj, @options)
+              data[formatted_attribute_name]['data'] << {
+                'type' => related_object_serializer.type.to_s,
+                'id' => related_object_serializer.id.to_s,
+              }
+            end
+          end
+        end
+        data
+      end
+
+      def relationship_self_link(attribute_name)
+        "/#{self_link}/relationships/#{format_name(attribute_name)}"
+      end
+
+      def relationship_related_link(attribute_name)
+        "/#{self_link}/#{format_name(attribute_name)}"
+      end
+    end
+  end
+end

data/lib/forest_admin_agent/serializer/forest_serializer_override.rb

@@ -0,0 +1,103 @@
+module ForestAdminAgent
+  module Serializer
+    module ForestSerializerOverride
+      def self.included(base)
+        base.instance_eval do
+          def self.find_serializer_class_name(object, options)
+            return options[:serializer].to_s if options[:serializer]
+            return "#{options[:namespace]}::#{object.class.name}Serializer" if options[:namespace]
+            return object.jsonapi_serializer_class_name.to_s if object.respond_to?(:jsonapi_serializer_class_name)
+
+            "#{object.class.name}Serializer"
+          end
+
+          def self.find_recursive_relationships(root_object, root_inclusion_tree, results, options)
+            root_inclusion_tree.each do |attribute_name, child_inclusion_tree|
+              # Skip the sentinal value, but we need to preserve it for siblings.
+              next if attribute_name == :_include
+
+              serializer = JSONAPI::Serializer.find_serializer(root_object, options)
+              serializer.relationships
+              unformatted_attr_name = serializer.unformat_name(attribute_name).to_sym
+
+              # We know the name of this relationship, but we don't know where it is stored internally.
+              # Check if it is a has_one or has_many relationship.
+              object = nil
+              is_collection = false
+              is_valid_attr = false
+              if serializer.has_one_relationships.key?(unformatted_attr_name)
+                is_valid_attr = true
+                attr_data = serializer.has_one_relationships[unformatted_attr_name]
+                object = serializer.has_one_relationship(unformatted_attr_name, attr_data)
+              elsif serializer.has_many_relationships.key?(unformatted_attr_name)
+                is_valid_attr = true
+                is_collection = true
+                attr_data = serializer.has_many_relationships[unformatted_attr_name]
+                object = serializer.has_many_relationship(unformatted_attr_name, attr_data)
+              end
+
+              unless is_valid_attr
+                raise JSONAPI::Serializer::InvalidIncludeError, "'#{attribute_name}' is not a valid include."
+              end
+
+              if attribute_name != serializer.format_name(attribute_name)
+                expected_name = serializer.format_name(attribute_name)
+
+                raise JSONAPI::Serializer::InvalidIncludeError,
+                      "'#{attribute_name}' is not a valid include.  Did you mean '#{expected_name}' ?"
+              end
+
+              # We're finding relationships for compound documents, so skip anything that doesn't exist.
+              next if object.nil?
+
+              # Full linkage: a request for comments.author MUST automatically include comments
+              # in the response.
+              objects = is_collection ? object : [object]
+              if child_inclusion_tree[:_include] == true
+                # Include the current level objects if the _include attribute exists.
+                # If it is not set, that indicates that this is an inner path and not a leaf and will
+                # be followed by the recursion below.
+                objects.each do |obj|
+                  obj_serializer = JSONAPI::Serializer.find_serializer(obj, options)
+                  # Use keys of ['posts', '1'] for the results to enforce uniqueness.
+                  # Spec: A compound document MUST NOT include more than one resource object for each
+                  # type and id pair.
+                  # http://jsonapi.org/format/#document-structure-compound-documents
+                  key = [obj_serializer.type, obj_serializer.id]
+
+                  # This is special: we know at this level if a child of this parent will also been
+                  # included in the compound document, so we can compute exactly what linkages should
+                  # be included by the object at this level. This satisfies this part of the spec:
+                  #
+                  # Spec: Resource linkage in a compound document allows a client to link together
+                  # all of the included resource objects without having to GET any relationship URLs.
+                  # http://jsonapi.org/format/#document-structure-resource-relationships
+                  current_child_includes = []
+                  inclusion_names = child_inclusion_tree.keys.reject { |k| k == :_include }
+                  inclusion_names.each do |inclusion_name|
+                    current_child_includes << inclusion_name if child_inclusion_tree[inclusion_name][:_include]
+                  end
+
+                  # Special merge: we might see this object multiple times in the course of recursion,
+                  # so merge the include_linkages each time we see it to load all the relevant linkages.
+                  current_child_includes += (results[key] && results[key][:include_linkages]) || []
+                  current_child_includes.uniq!
+                  results[key] = { object: obj, include_linkages: current_child_includes }
+                end
+              end
+
+              # Recurse deeper!
+              next if child_inclusion_tree.empty?
+
+              # For each object we just loaded, find all deeper recursive relationships.
+              objects.each do |obj|
+                find_recursive_relationships(obj, child_inclusion_tree, results, options)
+              end
+            end
+            nil
+          end
+        end
+      end
+    end
+  end
+end

data/lib/forest_admin_agent/services/ip_whitelist.rb

@@ -0,0 +1,100 @@
+require 'ipaddress'
+require 'net/http'
+
+module ForestAdminAgent
+  module Services
+    class IpWhitelist
+      RULE_MATCH_IP = 0
+      RULE_MATCH_RANGE = 1
+      RULE_MATCH_SUBNET = 2
+
+      def initialize
+        fetch_rules
+      end
+
+      def use_ip_whitelist
+        @use_ip_whitelist ||= false
+      end
+
+      def rules
+        @rules ||= []
+      end
+
+      def enabled?
+        use_ip_whitelist && !rules.empty?
+      end
+
+      def ip_matches_any_rule?(ip)
+        rules.any? { |rule| ip_matches_rule?(ip, rule) }
+      end
+
+      def ip_matches_rule?(ip, rule)
+        case rule['type']
+        when RULE_MATCH_IP
+          ip_match_ip?(ip, rule['ip'])
+        when RULE_MATCH_RANGE
+          ip_match_range?(ip, rule['ipMinimum'], rule['ipMaximum'])
+        when RULE_MATCH_SUBNET
+          ip_match_subnet?(ip, rule['range'])
+        else
+          raise 'Invalid rule type'
+        end
+      end
+
+      def ip_match_ip?(ip1, ip2)
+        return both_loopback?(ip1, ip2) unless same_ip_version?(ip1, ip2)
+
+        if ip1 == ip2
+          true
+        else
+          both_loopback?(ip1, ip2)
+        end
+      end
+
+      def same_ip_version?(ip1, ip2)
+        ip_version(ip1) == ip_version(ip2)
+      end
+
+      def ip_version(ip)
+        (IPAddress ip).is_a?(IPAddress::IPv4) ? :ip_v4 : :ip_v6
+      end
+
+      def both_loopback?(ip1, ip2)
+        IPAddress(ip1).loopback? && IPAddress(ip2).loopback?
+      end
+
+      def ip_match_range?(ip, min, max)
+        return false unless same_ip_version?(ip, min)
+
+        ip_range_minimum = (IPAddress min)
+        ip_range_maximum = (IPAddress max)
+        ip_value = (IPAddress ip)
+
+        ip_value >= ip_range_minimum && ip_value <= ip_range_maximum
+      end
+
+      def ip_match_subnet?(ip, subnet)
+        return false unless same_ip_version?(ip, subnet)
+
+        IPAddress(subnet).include?(IPAddress(ip))
+      end
+
+      private
+
+      def fetch_rules
+        response = Net::HTTP.get_response(
+          URI("#{Facades::Container.cache(:forest_server_url)}/liana/v1/ip-whitelist-rules"),
+          { 'Content-Type' => 'application/json', 'forest-secret-key' => Facades::Container.cache(:env_secret) }
+        )
+
+        raise Error, ForestAdminAgent::Utils::ErrorMessages::UNEXPECTED unless response.is_a?(Net::HTTPSuccess)
+
+        body = JSON.parse(response.body)
+        ip_whitelist_data = body['data']['attributes']
+
+        @use_ip_whitelist = ip_whitelist_data['use_ip_whitelist']
+        @rules = ip_whitelist_data['rules']
+      end
+    end
+  end
+end

data/lib/forest_admin_agent/services/logger_service.rb

@@ -0,0 +1,20 @@
+require 'mono_logger'
+
+module ForestAdminAgent
+  module Services
+    class LoggerService
+      attr_reader :default_logger
+
+      def initialize(logger_level = 'Info', logger = nil)
+        @logger_level = logger_level
+        @logger = logger
+        @default_logger = MonoLogger.new('forest_admin')
+        # TODO: HANDLE FORMATTER
+      end
+
+      def levels
+        %w[Debug Info Warn Error]
+      end
+    end
+  end
+end

data/lib/forest_admin_agent/utils/condition_tree_parser.rb

@@ -0,0 +1,57 @@
+require 'jwt'
+require 'active_support/time'
+
+module ForestAdminAgent
+  module Utils
+    class ConditionTreeParser
+      include ForestAdminDatasourceToolkit::Exceptions
+      include ForestAdminDatasourceToolkit::Utils
+      include ForestAdminDatasourceToolkit::Components::Query::ConditionTree
+      include ForestAdminDatasourceToolkit::Components::Query::ConditionTree::Nodes
+
+      def self.from_plain_object(collection, filters)
+        if leaf?(filters)
+          operator = filters['operator'].titleize.tr(' ', '_')
+          value = parse_value(collection, filters)
+
+          return ConditionTreeLeaf.new(filters['field'], operator, value)
+        end
+
+        if branch?(filters)
+          aggregator = filters['aggregator'].capitalize
+          conditions = []
+          filters['conditions'].each do |sub_tree|
+            conditions << from_plain_object(collection, sub_tree)
+          end
+
+          return conditions.size == 1 ? conditions[0] : ConditionTreeBranch.new(aggregator, conditions)
+        end
+
+        raise ForestException, 'Failed to instantiate condition tree'
+      end
+
+      def self.parse_value(collection, leaf)
+        schema = Collection.get_field_schema(collection, leaf['field'])
+        operator = leaf['operator'].titleize.tr(' ', '_')
+
+        if operator == Operators::IN && leaf['field'].is_a?(String)
+          values = leaf['value'].split(',').map(&:strip)
+
+          return values.map { |item| !%w[false 0 no].include?(item) } if schema.column_type == 'Boolean'
+
+          return values.map(&:to_f).select { |item| item.is_a? Numeric } if schema.column_type == 'Number'
+        end
+
+        leaf['value']
+      end
+
+      def self.leaf?(filters)
+        filters.key?('field') && filters.key?('operator')
+      end
+
+      def self.branch?(filters)
+        filters.key?('aggregator') && filters.key?('conditions')
+      end
+    end
+  end
+end

data/lib/forest_admin_agent/utils/error_messages.rb

@@ -0,0 +1,38 @@
+module ForestAdminAgent
+  module Utils
+    class ErrorMessages
+      AUTH_SECRET_MISSING = 'Your Forest authSecret seems to be missing. Can you check that you properly set a Forest
+authSecret in the Forest initializer?'.freeze
+
+      SECRET_AND_RENDERINGID_INCONSISTENT = 'Cannot retrieve the project you\'re trying to unlock. The envSecret and
+renderingId seems to be missing or inconsistent.'.freeze
+
+      SERVER_DOWN = 'Cannot retrieve the data from the Forest server. Forest API seems to be down right now.'.freeze
+
+      SECRET_NOT_FOUND = 'Cannot retrieve the data from the Forest server. Can you check that you properly copied the
+Forest envSecret in the Liana initializer?'.freeze
+
+      UNEXPECTED = 'Cannot retrieve the data from the Forest server. An error occured in Forest API'.freeze
+
+      INVALID_STATE_MISSING = 'Invalid response from the authentication server: the state parameter is missing'.freeze
+
+      INVALID_STATE_FORMAT = 'Invalid response from the authentication server: the state parameter is not at the right
+format'.freeze
+
+      INVALID_STATE_RENDERING_ID = 'Invalid response from the authentication server: the state does not contain a
+renderingId'.freeze
+
+      MISSING_RENDERING_ID = 'Authentication request must contain a renderingId'.freeze
+
+      INVALID_RENDERING_ID = 'The parameter renderingId is not valid'.freeze
+
+      REGISTRATION_FAILED = 'The registration to the authentication API failed, response: '.freeze
+
+      OIDC_CONFIGURATION_RETRIEVAL_FAILED = 'Failed to retrieve the provider\'s configuration.'.freeze
+
+      TWO_FACTOR_AUTHENTICATION_REQUIRED = 'TwoFactorAuthenticationRequiredForbiddenError'.freeze
+
+      AUTHORIZATION_FAILED = 'Error while authorizing the user on Forest Admin'.freeze
+    end
+  end
+end

data/lib/forest_admin_agent/utils/id.rb

@@ -0,0 +1,48 @@
+module ForestAdminAgent
+  module Utils
+    class Id
+      include ForestAdminDatasourceToolkit::Utils
+      include ForestAdminDatasourceToolkit
+      def self.unpack_id(collection, packed_id, with_key: false)
+        primary_keys = ForestAdminDatasourceToolkit::Utils::Schema.primary_keys(collection)
+        primary_key_values = packed_id.to_s.split('|')
+        if (nb_pks = primary_keys.size) != (nb_values = primary_key_values.size)
+          raise Exceptions::ForestException, "Expected #{nb_pks} primary keys, found #{nb_values}"
+        end
+
+        result = primary_keys.map.with_index do |pk_name, index|
+          field = collection.fields[pk_name]
+          value = primary_key_values[index]
+          casted_value = field.column_type == 'Number' ? value.to_i : value
+          # TODO: call FieldValidator::validateValue($value, $field, $castedValue);
+
+          [pk_name, casted_value]
+        end.to_h
+
+        with_key ? result : result.values
+      end
+
+      def self.unpack_ids(collection, packed_ids, with_key: false)
+        packed_ids.map { |item| unpack_id(collection, item, with_key: with_key) }
+      end
+
+      def self.parse_selection_ids(collection, params, with_key: false)
+        attributes = begin
+          params.dig('data', 'attributes')
+        rescue StandardError
+          nil
+        end
+
+        are_excluded = attributes&.key?('all_records') ? attributes['all_records'] : false
+        input_ids = attributes&.key?('ids') ? attributes['ids'] : params['data'].map { |item| item['id'] }
+        ids = unpack_ids(
+          collection,
+          are_excluded ? attributes['all_records_ids_excluded'] : input_ids,
+          with_key: with_key
+        )
+
+        { are_excluded: are_excluded, ids: ids }
+      end
+    end
+  end
+end